    JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn...,... · 274b6f17
    fpizlo@apple.com authored
    JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn..., and should never be called when the 'this' is not an object
    https://bugs.webkit.org/show_bug.cgi?id=105468
    
    Reviewed by Mark Hahnenberg, Oliver Hunt, and Gavin Barraclough.
    
    Source/JavaScriptCore: 
    
    Changed JSObject::ensure<IndexingType> methods to gracefully handle
    InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero. Most of them handle it by returning
    null as a result of indexingShouldBeSparse() returning true, while ensureArrayStorage handles it
    by entering dictionary indexing mode, which forces the object to behave correctly even if there
    is proxying or weird prototype stuff going on.
            
    Changed DFGOperations entrypoints to reject non-objects, so that JSObject doesn't have to deal
    with pretending to be JSString. In particular, this would go wrong in the ArrayStorage case
    since we'd try to resize a butterfly on a JSString, but JSString has something other than
    m_butterfly at that offset.
            
    Finally, removed all InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero from JIT code
    since those are now redundant.
    
    * dfg/DFGOperations.cpp:
    * dfg/DFGOperations.h:
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::arrayify):
    * dfg/DFGSpeculativeJIT.h:
    (JSC::DFG::SpeculativeJIT::callOperation):
    * runtime/JSObject.cpp:
    (JSC::JSObject::enterDictionaryIndexingMode):
    (JSC::JSObject::ensureInt32Slow):
    (JSC::JSObject::ensureDoubleSlow):
    (JSC::JSObject::ensureContiguousSlow):
    (JSC::JSObject::ensureArrayStorageSlow):
    (JSC):
    (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
    * runtime/JSObject.h:
    (JSObject):
    
    LayoutTests: 
    
    * fast/js/dfg-ensure-array-storage-on-string-expected.txt: Added.
    * fast/js/dfg-ensure-array-storage-on-string.html: Added.
    * fast/js/dfg-ensure-contiguous-on-string-expected.txt: Added.
    * fast/js/dfg-ensure-contiguous-on-string.html: Added.
    * fast/js/jsc-test-list
    * fast/js/script-tests/dfg-ensure-array-storage-on-string.js: Added.
    (foo):
    * fast/js/script-tests/dfg-ensure-contiguous-on-string.js: Added.
    (foo):
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138201 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    274b6f17